From: Florian Westphal <fw@strlen.de>
To: Klaus Ethgen <Klaus+lkml@ethgen.de>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: conntrack_ftp and DNAT
Date: Thu, 16 Feb 2017 01:17:32 +0100
Message-ID: <20170216001732.GA10526@breakpoint.cc>
In-Reply-To: <20170211220544.qe3tvfrrisllesix@ikki.ethgen.ch>

Klaus Ethgen <Klaus+lkml@ethgen.de> wrote:
> allow me to ask a question about conntrack and nf_conntrack_ftp and
> nf_nat_ftp and DNAT.
> 
> I have a host where I do DNAT from the main IPv4 address to the backend
> ftp server. Currently I have the server data connections limited to a
> small port range and have a hard wired DNAT of that port range to the
> ftp server too. But this is not optimal as that port range is not open
> for other connections.
> 
> I wanted to replace that with conntrack but failed.
> 
> Here are the relevant entries in iptables:
> iptables -t raw -A PREROUTING -p tcp -m tcp --dport 21 -j CT --helper ftp
> iptables -t nat -A PREROUTING -d X.X.X.X/32 -p tcp -m tcp --dport 20:21 -j DNAT --to-destination 10.0.0.3
> iptables -t nat -A PREROUTING -d X.X.X.X/32 -p tcp -m tcp --dport 52100:52199 -j DNAT --to-destination 10.0.0.3
> iptables -A FORWARD -d 10.0.0.3/32 -o br0 -p tcp -m tcp --dport 52100:52199 -m helper --helper ftp -j ACCEPT
> iptables -A FORWARD -d 10.0.0.3/32 -o br0 -p tcp -m tcp --dport 52100:52199 -j ACCEPT
> 
> The second-to-last rule never gets any hits (that is the reason for the
> last rule).
>
> I inserted several logging rules to see if a packet gets conntrack-marked
> by the ftp helper, but for me it seems that this is never the case.

Strange, and I can't tell you why it's not working.
This should be enough:

# make sure ftp helper checks standard control connection
iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp

# nat control connection
iptables -t nat -A PREROUTING -d X.X.X.X/32 -p tcp --dport 21 -j DNAT --to-destination 10.0.0.3

# accept all traffic handled by ftp helper
iptables -A FORWARD -d 10.0.0.3/32 -o br0 -p tcp -m helper --helper ftp -j ACCEPT

The common 'not working' reasons are:
1. control traffic gets encrypted (i.e. tls extension is used)
2. ftp server uses foreign (non-local) ip addresses in PORT command
   (this needs fixing of ftp server or use of 'loose' mode, see modinfo
    nf_conntrack_ftp)

you seem to be using a bridge, maybe there is some bug w.
call-iptables...  I can have a look next week.

> Allow me also to say that this helper stuff is somewhat underdocumented
> and could be improved a bit more. ;-)

Yes :-(
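
A worked version of the three-rule setup from the reply above, added here as
an example; it is not code from Florian's or Klaus's mails. It is a POSIX sh
script that prints the rules instead of applying them (pipe the output to sh
as root to load them) and adds the two checks one wants when the helper seems
to do nothing: counting helper-tagged entries in a "conntrack -L" dump, and
reading the nf_conntrack_ftp "loose" parameter that point 2 refers to. The
addresses (203.0.113.10 standing in for X.X.X.X, 10.0.0.3, br0), the extra
ACCEPT for port 21 towards the backend and the sample conntrack output are
assumptions or constructed for the example; the match and loose-mode
behaviour described in the comments is that of the kernel's xt_helper and
nf_conntrack_ftp modules.

```sh
#!/bin/sh
# Added example for the thread above, not code from the original mails.
# Prints the minimal ruleset for a DNAT'd FTP server behind the conntrack
# ftp helper, plus two checks for the "helper never matches" case.
# Assumed values (placeholders for X.X.X.X, the backend and the bridge):
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"
BACKEND_IP="${BACKEND_IP:-10.0.0.3}"
OUT_IF="${OUT_IF:-br0}"

# Print, do not apply, the rules.  Review them, then load with:
#   ftp_dnat_rules | sh        (as root)
ftp_dnat_rules() {
    cat <<EOF
# assign the ftp helper in the raw table, before conntrack sees the flow;
# the -d keeps the payload-parsing helper off every other port-21 flow
iptables -t raw -A PREROUTING -d ${PUBLIC_IP}/32 -p tcp --dport 21 -j CT --helper ftp
# DNAT only the control connection; nf_nat_ftp rewrites the expected data
# connections itself, so no fixed data-port range needs a DNAT rule
iptables -t nat -A PREROUTING -d ${PUBLIC_IP}/32 -p tcp --dport 21 -j DNAT --to-destination ${BACKEND_IP}
# control connection to the backend (assumption: no other rule accepts it)
iptables -A FORWARD -d ${BACKEND_IP}/32 -o ${OUT_IF} -p tcp --dport 21 -j ACCEPT
# data connections: -m helper matches only flows the ftp helper expected,
# so nothing but the announced PORT/PASV ports gets through
iptables -A FORWARD -d ${BACKEND_IP}/32 -o ${OUT_IF} -p tcp -m helper --helper ftp -j ACCEPT
EOF
}

# Count entries tagged with the ftp helper in a "conntrack -L" dump read
# from stdin.  0 means the CT rule never assigned the helper; a non-zero
# count with no accepted data connections points at the control channel
# being encrypted, or at PORT/PASV naming an address the helper rejects.
count_ftp_helper_entries() {
    grep -c 'helper=ftp' || true
}

# Report the nf_conntrack_ftp "loose" parameter (see modinfo nf_conntrack_ftp).
# strict (default): a PORT/PASV address that differs from the sender of the
# command is ignored and no expectation is created.  loose: the address is
# honoured, which lets the FTP server open holes towards arbitrary hosts,
# so fix the server's advertised address rather than enabling this.
# The path argument exists so the check can run against a saved copy.
ftp_loose_mode() {
    f="${1:-/sys/module/nf_conntrack_ftp/parameters/loose}"
    if [ ! -r "$f" ]; then
        echo "nf_conntrack_ftp not loaded" >&2
        return 2
    fi
    case "$(cat "$f")" in
        Y|1) echo loose ;;
        *)   echo strict ;;
    esac
}

# Constructed sample of "conntrack -L" output (not captured from a host):
# a helper-tagged ftp control connection and an unrelated ssh session.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=198.51.100.7 dst=203.0.113.10 sport=40122 dport=21 src=10.0.0.3 dst=198.51.100.7 sport=21 dport=40122 [ASSURED] mark=0 helper=ftp use=1
tcp      6 299 ESTABLISHED src=198.51.100.9 dst=203.0.113.10 sport=51000 dport=22 src=203.0.113.10 dst=198.51.100.9 sport=22 dport=51000 [ASSURED] mark=0 use=1'

# "sh thisfile.sh demo" prints the rules and runs both checks.
if [ "${1:-}" = "demo" ]; then
    ftp_dnat_rules
    printf '%s\n' "$SAMPLE_CONNTRACK" | count_ftp_helper_entries
    ftp_loose_mode || true
fi
```

If count_ftp_helper_entries reports 0 for a live "conntrack -L", the CT rule
in the raw table never saw the control connection, so the first thing to
verify is that the flow really traverses PREROUTING (on a bridge that depends
on br_netfilter and the bridge-nf-call-iptables sysctl). If it reports a
helper-tagged entry but data connections are still dropped, "conntrack -L
expect" should list the expectations the helper created from PORT/PASV; an
empty list is the signature of the two causes Florian names, and in the
foreign-address case the fix belongs in the server, not in loose mode.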

Thread overview: 5+ messages
2017-02-11 22:05 conntrack_ftp and DNAT Klaus Ethgen
2017-02-16  0:17 ` Florian Westphal [this message]
2017-02-16  8:19   ` Klaus Ethgen
2017-02-16  8:41     ` Florian Westphal
2017-02-16 12:07       ` Klaus Ethgen
